chore: removing wait of vapb deletion (open-policy-agent#3718)

Signed-off-by: Jaydip Gabani <[email protected]> (cherry picked from commit 9a85a21)
JaydipGabani · Dec 4, 2024 · 9c55fb6 · 9c55fb6
1 parent 516fb3b
commit 9c55fb6
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 23 deletions.
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller.go b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
@@ -310,6 +310,20 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
 				logAction(ct, deletedAction)
 				r.metrics.registry.remove(request.NamespacedName)
 			}
+			isAPIEnabled, groupVersion := transform.IsVapAPIEnabled(&logger)
+			if isAPIEnabled {
+				currentVap, err := vapForVersion(groupVersion)
+				if err != nil {
+					return reconcile.Result{}, err
+				}
+				vapName := getVAPName(ctUnversioned.GetName())
+				currentVap.SetName(vapName)
+				if err := r.Delete(ctx, currentVap); err != nil {
+					if !apierrors.IsNotFound(err) {
+						return reconcile.Result{}, err
+					}
+				}
+			}
 		}
 		err = r.deleteAllStatus(ctx, request.Name)
 		return result, err
@@ -648,6 +662,10 @@ func vapForVersion(gvk *schema.GroupVersion) (client.Object, error) {
 	}
 }
 
+func getVAPName(constraintName string) string {
+	return fmt.Sprintf("gatekeeper-%s", constraintName)
+}
+
 func getRunTimeVAP(gvk *schema.GroupVersion, transformedVap *admissionregistrationv1beta1.ValidatingAdmissionPolicy, currentVap client.Object) (client.Object, error) {
 	if currentVap == nil {
 		if gvk.Version == "v1" {
@@ -806,7 +824,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 			err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with runtime group version", status, err)
 			return err
 		}
-		vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
+		vapName := getVAPName(unversionedCT.GetName())
 		logger.Info("check if VAP exists", "vapName", vapName)
 		if err := r.Get(ctx, types.NamespacedName{Name: vapName}, currentVap); err != nil {
 			if !apierrors.IsNotFound(err) && !errors.As(err, &discoveryErr) && !meta.IsNoMatchError(err) {
@@ -863,7 +881,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 			err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with correct group version", status, err)
 			return err
 		}
-		vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
+		vapName := getVAPName(unversionedCT.GetName())
 		logger.Info("check if VAP exists", "vapName", vapName)
 		if err := r.Get(ctx, types.NamespacedName{Name: vapName}, currentVap); err != nil {
 			if !apierrors.IsNotFound(err) && !errors.As(err, &discoveryErr) && !meta.IsNoMatchError(err) {

diff --git a/test/bats/helpers.bash b/test/bats/helpers.bash
@@ -73,21 +73,6 @@ wait_for_process() {
   return 1
 }
 
-wait_for_error() {
-  wait_time="$1"
-  sleep_time="$2"
-  cmd="$3"
-  while [ "$wait_time" -gt 0 ]; do
-    if eval "$cmd"; then
-      sleep "$sleep_time"
-      wait_time=$((wait_time - sleep_time))
-    else
-      return 0
-    fi
-  done
-  return 1
-}
-
 get_ca_cert() {
   destination="$1"
   if [ $(kubectl get secret -n ${GATEKEEPER_NAMESPACE} gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | wc -w) -eq 0 ]; then

diff --git a/test/bats/test.bats b/test/bats/test.bats
@@ -61,8 +61,7 @@ teardown_file() {
 }
 
 @test "vap test" {
-  minor_version=$(echo "$KUBERNETES_VERSION" | cut -d'.' -f2)
-  if [ "$minor_version" -lt 28 ] || [ -z $ENABLE_VAP_TESTS ]; then
+  if [ -z $ENABLE_VAP_TESTS ]; then
     skip "skipping vap tests"
   fi
   local api="$(kubectl api-resources | grep validatingadmission)"
@@ -97,10 +96,8 @@ teardown_file() {
     kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
 
     wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
-    wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding all-must-have-label-scoped"
-    wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding all-must-have-label"
-    wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label-scoped"
-    wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"
+    # wait for k8s to register deletion with eventual consistency
+    sleep 5
   fi
 }